Hacker News: ashishb

New comment by ashishb in "GitHub confirms breach of 3,800 repos via malicious VSCode extension"

ashishb — Thu, 21 May 2026 01:01:14 +0000

Afaik, they eventually cleaned it up.

And it was each team owning multiple internal repos of their own deployments/libraries, and not, primarily, clones of public repos.

New comment by ashishb in "GitHub confirms breach of 3,800 repos via malicious VSCode extension"

ashishb — Wed, 20 May 2026 20:39:59 +0000

Uber had 8000 repos at one point with 2000 engineers - https://highscalability.com/lessons-learned-from-scaling-ube...

New comment by ashishb in "I was asked to install malware during a fake interview"

ashishb — Thu, 14 May 2026 08:54:40 +0000

Yeah. Real profile names.

Unlikely that those guys were real. And I did reach out to them for explanation. Only to be blocked by both!

New comment by ashishb in "I was asked to install malware during a fake interview"

ashishb — Thu, 14 May 2026 06:11:54 +0000

This is just a negative filter to see as a warning sign. It is like walking into a dark alley at night.

Nothing might happen but you should be on the alert.

New comment by ashishb in "I was asked to install malware during a fake interview"

ashishb — Thu, 14 May 2026 06:10:18 +0000

Those were real companies. The conversation started online and immediately moved in-person.

I was never asked to install anything. I was not even given code access (without NDA) and I did get paid with equity/money in cases there was a mutual match and we proceeded.

New comment by ashishb in "I was asked to install malware during a fake interview"

ashishb — Thu, 14 May 2026 05:26:08 +0000

Not for someone who get 10-20 such requests a year. None till date were such scams.

I was asked to install malware during a fake interview

ashishb — Wed, 13 May 2026 20:57:56 +0000

Article URL: https://ashishb.net/security/contagious-interview/

Comments URL: https://news.ycombinator.com/item?id=48127469

Points: 54

# Comments: 10

New comment by ashishb in "Postmortem: TanStack NPM supply-chain compromise"

ashishb — Wed, 13 May 2026 18:55:01 +0000

> Also, Docker is a huge binary, run as root, with lot of APIs and wide attack surface.

You can run it without root. And that's what you should do.

> No Wayland, DBus, Pipewire, proc, sys filtering.

Yeah, I don't need Wayland for CLI tools. For others, you get them inside Docker, isolated from the rest of the system. When I run `npm install`, I want isolation.

New comment by ashishb in "Postmortem: TanStack NPM supply-chain compromise"

ashishb — Wed, 13 May 2026 07:05:24 +0000

Then try https://github.com/ashishb/amazing-sandbox

I use it every day for CLI tools

> How would you sandbox an Electron app

I haven't figured that out yet

New comment by ashishb in "Postmortem: TanStack NPM supply-chain compromise"

ashishb — Tue, 12 May 2026 16:17:49 +0000

Always run third-party code (especially npm packages) inside a sandbox, take your pick: ai-jail, bubblewrap, seatbelt, or amazing-sandbox (the last one, I wrote for myself after trying all others).

New comment by ashishb in "If AI writes your code, why use Python?"

ashishb — Tue, 12 May 2026 11:14:20 +0000

> Ive used python at scale and its fine if you have reasonably good code hygiene.

True but that's the problem. Once you have a big enough team, it becomes an uphill battle to maintain that.

New comment by ashishb in "If AI writes your code, why use Python?"

ashishb — Tue, 12 May 2026 09:30:05 +0000

Indeed. Python is faster to write and harder to maintain over the long run.

The "faster to write" advantage becomes less relevant if most code is going to be auto-generated.

The "harder to maintain" might still remain more relevant.

New comment by ashishb in "If AI writes your code, why use Python?"

ashishb — Tue, 12 May 2026 08:56:31 +0000

Python is amazing for scripting.

Python is terrible for writing big systems.

Projects whose V1 is written in Go/Rust/C++ don't normally go out and re-write V2 in Python.

The reverse is really common.

Even many famous Python packages are now Python wrappers.

https://ashishb.net/programming/python-in-production/

New comment by ashishb in "The surprisingly complex journey to text-selectable client-side generated PDFs"

ashishb — Sat, 09 May 2026 17:05:58 +0000

I didn't qualify.

And the reason was that majority of backend engineers have never worked on frontend.

At almost all big companies, the team working on the frontend problem is relatively small +and that's how it should be).

> In my experience it's the NON software engineers who tend to underestimate the complexity

Yeah. That too as well.

New comment by ashishb in "The surprisingly complex journey to text-selectable client-side generated PDFs"

ashishb — Fri, 08 May 2026 10:30:11 +0000

Software engineers drastically underestimates GUI - Web layouts, mobile app layouts, and even PDF layouts are non-trivial pieces of work to get right in all circumstances.

New comment by ashishb in "Shai-Hulud Themed Malware Found in the PyTorch Lightning AI Training Library"

ashishb — Thu, 30 Apr 2026 20:28:07 +0000

Always run third party code inside a sandbox

New comment by ashishb in "Waymo in Portland"

ashishb — Tue, 28 Apr 2026 19:32:22 +0000

> At least 80% of what you’re describing would be satisfied by trains and buses. It’s wild that Americans are so obsessed with self-driving cars while ignoring public transit that solves most of the problems. It’s reliable, more efficient, better for the environment, and less stressful for you.

So, let's say you take public transport from SF to Yosemite/Los Angeles. Now, how do I cover the last mile (or even multiple points)? Take more public transport? Hitchhike?

The reason long-distance public transport works well in Europe is that there is good local public transport in both the source and the destination cities. When that does not exist, you are better off driving.

New comment by ashishb in "Apple fixes bug that cops used to extract deleted chat messages from iPhones"

ashishb — Wed, 22 Apr 2026 22:32:38 +0000

This has nothing to do with Apple/Firebase notification service.

It has to do with the fact that any notification displayed on your device goes via a separate system service which was caching them.

It is amusing to see how often people confuse device notifications with Apple notification service.

New comment by ashishb in "Someone bought 30 WordPress plugins and planted a backdoor in all of them"

ashishb — Mon, 13 Apr 2026 20:12:02 +0000

WordPress was great because of the plugins.

WordPress is now a dangerous ecosystem because of the plugins and their current security model.

I moved to Hugo and encourage others to do so - https://ashishb.net/tech/wordpress-to-hugo/

New comment by ashishb in "Mercor says it was hit by cyberattack tied to compromise LiteLLM"

ashishb — Thu, 02 Apr 2026 10:01:47 +0000

And what are good options that you use and that work on Linux as well as Mac OS?